miguelmorin's questions

I have a NodeJS server with HTTPS and certificates. The DNS is on CloudFlare.

The host receives a connection every day at 3:32am from 3.8.236.120, an AWS host in the UK. The crawler launches requests to the same 4 pages repeatedly around that time, 26 requests in 5 minutes. Although the number seems manageable, this is the most likely culprit, and the only activity the web server shows at that time every day.

I blocked the IP in the CloudFlare Web Application Firewall, along with others that have attacked in the past:

(ip.src in {194.48.199.78 5.43.32.229 92.220.10.100 107.172.137.111 193.169.254.179 149.3.170.66 47.243.233.244 3.8.236.120}) or (ip.geoip.country in {"IN" "ID"})

I checked that the rule is enabled. And yet, this IP address is still connecting to the server via DNS. Here is the server log for one connection:

GET /pt/sumario 200 143.483 ms - 13972
[2024-02-16T03:31:18.155Z] /pt/amostras  ::  ::ffff:3.8.236.120  ::  Python-urllib/3.11
[2024-02-16T03:31:18.156Z] Host =  ginja.org

I suspect there is some setting on CloudFlare that conflicts with this rule. How can I block all requests from this IP address?

Update

To answer the comments:

• I blocked the IPv6 address on CloudFlare and still get traffic from it.
• I don't know if the crawler accessed robots.txt because it was in the public directory and I didn't track its visits. I am tracking them now.
• One request every 12 seconds seems light indeed. But I get traffic from this crawler every day at the same time, and some days my server is down at that time, so I want to rule out this bot first. Also, I have another server checking every minute whether this one is up and running, and on the days I consider under attack, the server doesn't log any activity from the health checker, so it's possible that the crawler floods my server with so many requests at the same time that they don't get logged.

I am looking for a daily budget alert on my AWS usage, for example in case I leave an EC2 instance running or if a user requests too many one-time passcodes on SNS. I already use monthly budget alarms, and CloudWatch alarms attached to EC2 instances.

In 2020 AWS announced daily granularity on Budgets for some customers:

Daily budget granularity is already available to Savings Plans and Reservation budget users.

On AWS Budgets, I do not have the option to create a daily budget. I only see "Zero-spend budget", "Monthly budget" and "Daily Savings Plan Coverage Budget".

Does AWS offer daily budget alarms for the general user?

After two years of running a website (https://emocoes.org), today for the first time it does not open on Safari. It opens on other browsers (Firefox, Chrome, Chromium, Opera), but on Safari I see:

Safari Can't Open the Page

Safari can't open the page "emocoes.org" because the server unexpectedly dropped the connection. This sometimes occurs when the server is busy. Wait for a few minutes and try again.

Following Safari cannot open the page because the server stopped responding , I refresh the page, but see the same error.

The NodeJS logs do not show any GET request from Safari, and they do show them from Firefox. I clear the cookies and the cache from Safari and get the same error. If I open the page in a private window, then I can access the website, but I still need to fix this error for users who access the website on Safari. If the problem is specific to Safari and macOS, I will move the question to Apple.StackExchange.

What is the problem and how can I fix it?

update

Without having made further changes, the website is still failing on the same tab of Safari, and it works on the same instance of Safari but on a different tab. So the problem was likely from my computer and I will consider a reinstallation.

Yesterday around 21:30 GMT, my server on AWS Lightsail crashed. I cannot connect to it through SSH. I am also unable to connect to a separate small server, which checked the uptime of the first. I can connect through browser SSH, but not with SSH, even after restarting the instances.

Since these are two separate servers with no public connection to each other, I wonder if Lightsail may have some technical issues. But as I am on the Basic plan, support is not included.

How can I investigate the problem?

update

I checked four of the logs in /var/log: auth.log, apport.log, kern.log and syslog on the Lightsail instance running a bitnami image and a NodeJS server.

kern-log showed the culprit. Usually it has very few entries, about 5. Around this date, it has 500 lines, starting with:

Jan 29 21:39:41 ip-172-26-9-252 kernel: [    0.000000] Initializing cgroup subsys cpuset

and ending with:

Jan 29 21:39:41 ip-172-26-9-252 kernel: [   20.435952] audit: type=1400 audit(1643492358.140:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/lxd/lxd-bridge-proxy" pid=708 comm="apparmor_parser"

The other Lightsail instance, running a different image on a different region, and not set up as a web server, shows similar entries around that time. The first line is:

Jan 30 07:27:17 ip-172-26-5-35 kernel: [    0.000000] Initializing cgroup subsys cpuset

and the last is:

Jan 30 07:27:17 ip-172-26-5-35 kernel: [    9.476419] cgroup: new mount options do not match the existing superblock, will be ignored

So this seems to have been a Lightsail issue, since it affected two separate instances at about the same time. How can I confirm that?

My website has an area restricted to users who sign up with a valid email. I have got requests with bogus emails, and I want to avoid sending emails to non-existent addresses lest they increase the bounce rate and hurt my sending reputation.

The emails are:

[email protected]
[email protected]
kWQcHVzn%40ypEcDvh.NwB

The last one has %40, the HTML entity for @. The emails are truncations of the same character sequence.

Inspecting IP address of the requests with reverse DNS, all three requests come from cache.google.com. If the requests come from Google's crawler, I would expect these email addresses to be documented, but I could not find any reference.

In case it is the Google crawler, I want it to index the website while avoiding send email addresses to bogus addresses. I have already implemented filtering on the address looking for that character sequence.

Is there a list of bogus addresses that deep web crawlers use to gain access and index hidden pages?

Update

Following the answer and the comment pointing at verifying that Googlebot is the crawler, I confirmed that it is not:

$ host 212.113.167.197
197.167.113.212.in-addr.arpa domain name pointer cache.google.com.
$ host cache.google.com
Host cache.google.com not found: 3(NXDOMAIN)

So indeed, it seems a malicious user, which explains why that email address is not documented as coming from Google.

I handle a NodeJS server with an SSL certificate issued by Let's Encrypt. It works on some clients (Safari and Firefox on my macOS) and not others (curl on my macOS, Safari on iOS). The notice on iOS is:

Not trusted

Expired 30/09/21 07:01:15

The notice on curl is:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.

Inspecting the certificate shows that dates are valid. I found this warning from Let's Encrypt:

The DST Root CA X3 root certificate expired September 30 14:01:15 2021 GMT.

...

If your site is working for most devices but not for some, the problem is with their trust store (their list of trusted root certificate).

...

macOS, iOS etc

Some operating systems hold onto the expired R3 > DST Root CA X3 chain even if your server is no longer using it. Try a restart of the affected client device.

I forced a renewal of the certificate, copied the private key and the full chain to the NodeJS location, and restarted the server. I restarted the iOS device. The new date shows on my browsers and on the iOS device. But the iOS device still does not trust the website.

The website is www.emotionathletes.og .

How can I ensure that all clients get the right certificate chain and can visit the website?

I use a Bitnami NodeJS instance on AWS. I found in the Bitnami docs](https://docs.bitnami.com/aws/get-started-lightsail/) that I have to manually keep a Wordpress installation updated. But for the OS, I could not find whether it keeps itself updated or if I need to update packages and the distribution updated by manually running sudo apt-get update && sudo apt-get upgrade periodically. Does anyone know and can provide a reference?

I want to restrict SSH connections to my server to a country only. I tried GeoIP and Ipfilter without success (Location of authpriv.notice logs on Bitnami). Another solution would be to configure a rule on Cloudflare, which is the DNS for my server, to block all SSH connections from a different country. Looking at the Cloudflare rules, it does not seem a standard option: the closest options seem to be Referer, Request method, and HTTP version. And yet, Cloudflare has a post from 3 years ago mentioning SSH access through Cloudflare, so I would think it is standard by now.

Is it possible to block or allow SSH connections to a server on Cloudflare?

I have CloudFlare for domains that point to AWS instances. I set up a CloudFlare firewall rule to block traffic by country, where I manually included embargoed countries.

AWS has the Web Application Firewall that can do the same:

AWS WAF provides inline inspection of inbound traffic at the application layer to detect and filter against critical web application security flaws from common web exploits that could affect application availability, compromise security, or consume excessive resources.

...

We have customers in public sector and financial services who use AWS WAF to block requests from certain geographical locations, like embargoed countries, by applying geographic match conditions.

Lightsail also has a firewall which can block traffic by IP address. I could not find a tutorial to set up an AWS Web Application Firewall to Lightsail instances.

Is that possible?

On my server, I track clicks to external websites that serve as references. Recently, visitors from Russia have been clicking on http://emotionathletes.org/redir?url=http://freedatingsiteall.com, for example, and I found it listed on this chinese website among others:

http://www.epropertywatch.com/email/75b8755ffe434c20bb5363e490172ba1/track/click?url=https%3A%2F%2Ffreedatingsiteall.com
http://emotionathletes.org/redir?url=http://freedatingsiteall.com
http://toonsfactor.com/cgi-bin/at3/out.cgi?l=tmx7x302x16457&s=55&u=http://freedatingsiteall.com

I changed the source code to 404 all external websites that are not in source code. I checked the SSH logs and the server has not been compromised.

At most, a user who clicked on that link would be redirected to the masked link. So I don't understand why a fraudster would do this. It could be click fraud to increase results of a campaign (some links have utm GET parameters) or a way to increase traffic to a website by masking it as another.

Does such a method have a name, and is it low risk as I expect?

I have a Bitnami server, Ubuntu Xenial, on AWS LightSail. I followed this tutorial to restrict SSH connections by country. This script ipfilter.sh filters IP addresses:

#!/bin/bash
# License: WTFPL

# UPPERCASE space-separated country codes to ACCEPT
ALLOW_COUNTRIES="US UK"
LOGDENY_FACILITY="authpriv.notice"

if [ $# -ne 1 ]; then
  echo "Usage:  `basename $0` " 1>&2
  exit 0 # return true in case of config issue
fi

if [[ "`echo $1 | grep ':'`" != "" ]] ; then
  COUNTRY=`/usr/bin/geoiplookup6 "$1" | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1`
else
  COUNTRY=`/usr/bin/geoiplookup "$1" | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1`
fi
[[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]] && RESPONSE="ALLOW" || RESPONSE="DENY"

if [[ "$RESPONSE" == "ALLOW" ]] ; then
  logger -p $LOGDENY_FACILITY "$RESPONSE sshd connection from $1 ($COUNTRY)"
  exit 0
else
  logger -p $LOGDENY_FACILITY "$RESPONSE sshd connection from $1 ($COUNTRY)"
  exit 1
fi

And I set it up with:

sudo -y apt-get install geoip-bin geoip-database

sudo echo "sshd: ALL" > /etc/hosts.deny
sudo echo "vsftpd: ALL" >> /etc/hosts.deny

sudo echo "sshd: ALL: spawn /path/to/file/ipfilter.sh %a" > /etc/hosts.allow

I restarted the SSH daemon with sudo systemctl restart ssh.service. I attempt a connection from another country and check the files /var/log/syslog and /var/log/auth.log, which do not show this event. The file /etc/rsyslog.conf does not show the location of logging for the authpriv facility.

How can I check that this IP filter is working?

I run a NodeJS web application with packages up to date and secured with a strong password and RSA for ssh.

The application runs on two domains. I check the request headers to get the domain and found some weird requests that had no headers:

console.log(req.headers); // prints `{}`

Near the time of these requests, I also get other weird ones, such as /nmaplowercheck1602743285, /HNAP1, and /evox/about.

I could throttle or black-list the IP of origin, though probably these are only proxy IPs. The last two routes are from 5-6 different countries.

What is this behavior, and is it anything to worry about?

I need to use a Windows machine for a program that only works on Windows. I set up a Windows 10 virtual machine on Azure. On the Azure portal, at the virtual machine, under Connection, I see the details for RDP and it works with the Microsoft Remote Desktop app from the app store.

I also want to connect with SSH. Clicking on that item next to RDP, I see:

Ensure you have read-only access to the private key.
chmod 400 <name>.pem

without any indication of where to download or upload that key.

I opened port 22 on the Azure portal following these directions, and I also installed OpenSSH Server following the PowerShell section of these directions, including starting the service:

> Set-Service -Name sshd -StartupType 'Automatic'
> Get-NetFirewallRule -Name *ssh*

Name                  : OpenSSH-Server-In-TCP
DisplayName           : OpenSSH SSH Server (sshd)
Description           : Inbound rule for OpenSSH SSH Server (sshd)
DisplayGroup          : OpenSSH Server
Group                 : OpenSSH Server
Enabled               : True

From my local machine, the SSH times out to the public IP of the virtual machine:

$ ssh user@<public-ip>
ssh: connect to host <public-ip> port 22: Operation timed out

I am able to SSH into other virtual machines, so I don't think my firewall is the problem.

How can I connect to a Windows 10 virtual machine over SSH?

I am managing two domain names and want to redirect one to the other. I set up a domain forwarding with 301 permanent redirection from domain S (source) to domain T (target). The server on domain T redirects all HTTP to HTTPS. The browser is redirected if I visit http://<domain-S>.

If I visit https://<domain-S> (note the S for TLS), I see:

Firefox detected a potential security threat and did not continue to <domain-S>.  ...

Firefox does not trust this site because it uses a certificate that is not valid for <domain-S>. The certificate is only valid for the following names: shortener.secureserver.net, www.shortener.secureserver.net

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Please note that the HTTPS configuration is working well for <domain-T>. I believe that the problem is that the SSL certificate for https://<domain-T> is being served for https://<domain-S>.

How can I redirect the domain before serving the certificate?

I have a server on AWS and bitnami redirecting SSL on port 443 to <some-port>. When I list processes listening on that port, most often I see only one line, and sometimes I see two, with the second one related to my IP and my ISP:

$ lsof -i :<some-port>
$ COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
.node.bin <pid> bitnami   <2-digits>u  IPv6 <number>      0t0  TCP *:<some-port> (LISTEN)
.node.bin <pid> bitnami   <2-digits>u  IPv6 <number>      0t0  TCP ip-<some-ip>.<AWS-region>.compute.internal:8443->a<my-ip>.<my-ISP-domain>:<5-digits> (ESTABLISHED)

When I run the command immediately after, I only see the first line.

What is this second connection?

I started a NodeJS application with forever start app.js. The code had a bug and the server is not running and not responding. When I launch it again with npm start, I see that the port is already in use:

events.js:288
      throw er; // Unhandled 'error' event
      ^

Error: listen EADDRINUSE: address already in use :::3000
    at Server.setupListenHandle [as _listen2] (net.js:1309:16)

When I list the processes using that port, I see none:

$ sudo  netstat -ltnp | grep -w ':3000'
$ fuser 3000/tcp
$ lsof -i :3000

How can I stop an application started with forever start?

I set up a modem as a range extender as in this thread. Initially I set it to WDS-only and could connect only via ethernet, so I wanted to login to the modem and change to Hybrid to also connect via wifi. With the default IP of the modem, I go instead to the router page.

Following these methods, I looked at the DHCP table on the router, which does not list the MAC address of the modem. I also tried pinging the broadcast address and then checking the result of arp -a. It returned 5 IP addresses, none with the modem's MAC address. One address timed out, all others gave an error Safari can't open the page.

My machine is connected to the modem and has an IP address that does not show on the router's DHCP table, hence I believe the modem is doing Network Address Translation, as in How to access an adsl modem/router in bridged mode?.

I turned off the router, restarted the modem, got into the router's page, and changed the mode to "hybrid", so now I can connect via wifi. I also set the LAN IP of the modem to 192.168.2.1 to have a different range than the router and left the same netmask (255.255.255.0). I confirmed that I can access this page when the modem is not bridged.

When bridged, the page at 192.168.2.1 does not respond from my machine plugged in to the modem with an ethernet cable or on the modem's wifi.

How can I find the IP address of the bridged modem or access the modem's page when bridged?

I am trying to reset the GPU of my Azure virtual machine (NVIDIA GPU Cloud Image running on Standard NV6 running Ubuntu 16.04.1) to get reproducible results on a deep learning algorithm. I found this NVIDIA help page, which explains that I cannot reset individual GPUs of a DGX-1 server:

In the case of the DGX-1 and DGX-1V platforms, individual GPU's can not be reset because they are linked via nvlink, so all the GPU's have to be reset simultaneously.

How can I find if the GPU on my Azure machine belongs to a DGX-1 server?

I create a virtual machine and copy my DOCKERFILE to it. The last line of the Docker file calls a shell script that runs Tensorflow and TensorBoard, which visualises the results of TensorFlow on port 6006:

tensorboard --logdir=/tmp/vae &

I SSH into the machine, build a docker image, and run docker wiring the Docker port to the virtual machine port:

docker run -it -p 6006:6006 imageID

And I see that TensorBoard is running:

TensorBoard 1.12.0 at http://2e4a59c22f1d:6006 (Press CTRL+C to quit)

I add a new inbound security rule for port 6006, so I can connect the IP of my local computer to port 6006 of the virtual machine.

I confirm that the ports are open with Python portping and confirm that port 6006 of the virtual machine is open to my local machine, and that port 6006 of the docker container is open to the virtual machine.

Yet, when I point a browser to the IP of the Azure virtual machine with suffix :6006, I see nothing!

How can I view the TensorBoard running on the virtual machine?